2. Brief professional career overview
www.linkedin.com/in/vshabad - a lot of details
● 2018-2022: CIO, CISO at global, Kazakhstan, and Russian companies
● 2000-2018: CEO of a small system integrator in Russia, system architect and project manager
● 1993-2000: Network engineer, head of department
● 1985-1996: Software developer
4. What should be in a (sane) cybersecurity strategy?
Cyber risk management
• What do we protect, and from what?
• How do we classify the risks?
• What are we doing to make the risks acceptable?
Authority, resources, competency areas
• Rights and responsibilities of the CISO
• Rights and responsibilities of the CIO and CTO
• Rights and responsibilities of business leaders
Compromises made
• What is more critical - confidentiality or availability?
• What is more critical - performance or security?
• ...
Regulatory rules
Nizhny Novgorod residents filmed a rat in the MUKKA restaurant, but the owner is sure it was planted. Marketers even provided video from the cameras installed in the establishment.
6. What (sometimes) the (not so sane) strategies look like
Source: https://bestyrelsesforeningen.dk/wp-content/uploads/2020/07/CISO-Mind-Map.pdf
7. (Sane) limiting the number of cybersecurity initiatives
● First phase:
○ Assets and services inventory
○ Acceptable Use Policy design
● Second phase:
○ Vulnerability management policies and procedures design
○ Vulnerability management automation
● …
8. Some parts of a real sane cybersecurity strategy
● Company – US-based software vendor
● The most important asset to protect – the company’s reputation
● Key threat – malware spread via the software distribution image
● Key vulnerable surfaces:
○ 3rd party libraries and components
○ own source code (for instance, buffer overflow)
○ Docker repository (image substitution)
● One of the compromises – a release may be published with open critical vulnerabilities, if:
○ the list of all known open critical vulnerabilities is published in the documentation set
○ the CTO has signed this list and explicitly taken personal responsibility for them
○ all key customers are informed about these vulnerabilities two weeks before the release date
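The release compromise above, expressed as a release-gate check. This is an added example, not the vendor's own tooling; the manifest fields, customer names and the interpretation of "two weeks" as at least 14 days are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# "two weeks before the release date", taken as a minimum of 14 days (assumption)
NOTICE_PERIOD = timedelta(days=14)


@dataclass
class OpenCriticalVuln:
    vuln_id: str                      # identifier used in the documentation set
    in_documentation: bool            # listed in the published known-issues document
    customer_notified_on: dict = field(default_factory=dict)  # customer -> date informed


@dataclass
class ReleaseManifest:
    version: str
    release_date: date
    cto_signed_vuln_ids: set          # ids the CTO explicitly signed off on
    open_criticals: list              # OpenCriticalVuln entries still open at release


def release_gate(manifest: ReleaseManifest, key_customers: set) -> list:
    """Return the reasons this release must NOT ship; an empty list means it may."""
    blockers = []
    deadline = manifest.release_date - NOTICE_PERIOD
    for v in manifest.open_criticals:
        if not v.in_documentation:
            blockers.append(f"{v.vuln_id}: not listed in the documentation set")
        if v.vuln_id not in manifest.cto_signed_vuln_ids:
            blockers.append(f"{v.vuln_id}: no CTO sign-off")
        for customer in sorted(key_customers):
            notified = v.customer_notified_on.get(customer)
            if notified is None:
                blockers.append(f"{v.vuln_id}: key customer {customer} not informed")
            elif notified > deadline:  # informed, but later than 14 days before release
                blockers.append(f"{v.vuln_id}: {customer} informed on {notified}, after deadline {deadline}")
    return blockers


# Constructed sample data: hypothetical release, customers and vulnerability ids
KEY_CUSTOMERS = {"acme", "globex"}
RELEASE = date(2024, 6, 1)
GOOD = ReleaseManifest("2.4.0", RELEASE, {"VULN-1"},
                       [OpenCriticalVuln("VULN-1", True, {"acme": date(2024, 5, 10), "globex": date(2024, 5, 15)})])
BAD = ReleaseManifest("2.4.1", RELEASE, set(),
                      [OpenCriticalVuln("VULN-2", True, {"acme": date(2024, 5, 25)})])

if __name__ == "__main__":
    for m in (GOOD, BAD):
        print(m.version, release_gate(m, KEY_CUSTOMERS) or "OK to release")
```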
9. How a (sane) cybersecurity strategy helps business grow
● Income increase:
○ penetrating new markets requiring a high level of trust
○ increasing staff productivity (removing unnecessary restrictions)
○ premium services for customers (priority fix for security issues)
● Cost decrease:
○ downtime for new hires until access is granted
○ high cost of purchased enterprise-class laptops
○ purchased cybersecurity tools that are not actually used
10. The economy of Uzbekistan is booming…
[Chart: annual Gross Domestic Product growth, %, 2017-2021, for Kazakhstan, Russia and Uzbekistan]
Source: https://datatopics.worldbank.org/world-development-indicators/themes/economy.html
11. I'll be glad to contribute!
● Development and updating of the cybersecurity strategy
● Development and improvement of IT and cybersecurity processes
● Preparation for ISMS certification
vshabad@vshabad.com
+7 777 726 4790